🚀 Join our AI Wargame at Black Hat Asia and our Workshop + Wargame at NDC Sydney .


Secret Disclosure

Secrets (API keys, private keys, etc) are exposed in the code repository or source code. Unnecessary exposure of sensitive data increase likelihood of the system compromise.

Remediation

  • Immediately reset the disclosed secrets
  • Remove any instances of hardcoded secrets from the code
  • Refactor the app to use environment variables or secret files (mounted to the container at run time).
  • As the secret has been exposed for a prolonged time, it may have been misused to create persistence (e.g. creating another malicious keys). Create a IoC and monitor for usage of all the disclosed secrets. Monitor for suspicious authenticated activities especially privilege actions
  • Remove secrets from the git history using a tool like git filter-repo or BFG Repo-Cleaner

Metadata

  • Severity: high
  • Slug: secret-disclosure

CWEs

  • 212: Improper Removal of Sensitive Information Before Storage or Transfer
  • 798: Use of Hard-coded Credentials

OWASP

  • A05:2021: Security Misconfiguration
  • A07:2021: Identification and Authentication Failures

Available Labs

Select a language to explore available labs for this vulnerability.

No matching labs found

Try adjusting your language filter.

Deco line
Deco line

Play AppSec WarGames

Want to skill-up in secure coding and AppSec? Try SecDim Wargames to learn how to find, hack and fix security vulnerabilities inspired by real-world incidents.

For Companies Play Now
Deco line
Deco line

Got a comment?

Join our secure coding and AppSec community. A discussion board to share and discuss all aspects of secure programming, AppSec, DevSecOps, fuzzing, cloudsec, AIsec code review, and more.

Read more